How to Stop the Bleeding, Hopefully Before it Starts

Data Privacy and Security Law Alert Heather L. Buchta

Unless you have been living under a rock, you will have noticed the flood of news reports about the implications of the OpenSSL bug nicknamed “Heartbleed.” If your company runs a website that third parties use, the bug could present major issues that need to be addressed. What exactly does your company need to know about Heartbleed, and how can your company protect itself not only from potential attackers, but from allegations of insufficient data security as well?

As has been widely reported, Heartbleed is a bug in OpenSSL that leaves every release from 1.0.1 through 1.0.1f, as well as 1.0.2-beta1, vulnerable to attack. The bug had been present in released OpenSSL for about two years, and exploiting it leaves no trace in a server’s logs, so an attack may already have taken place without anyone noticing. According to The Verge, “[t]he new bug would let attackers pull the private keys to the server, letting attackers listen in on data traffic and potentially masquerade as the server” (http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet). This means that your sensitive business data, as well as the sensitive data of your clients (such as PINs and passwords), could already have been exposed and may still be exposed. CNET, one of the leading technology publishers, suggests checking your website with a tool from LastPass.com (http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/); LastPass developed the tool to test whether a given website is potentially vulnerable to attack because of the bug. If you find that your company’s website is vulnerable, the next step is to upgrade to the new OpenSSL 1.0.1g, which can be found at www.OpenSSL.org. Two points that the technical staff doing the upgrade should keep in mind: the services that use OpenSSL must be restarted so that they actually load the patched library, and because the server’s private key itself may have been read, upgrading alone does not undo the exposure. The site’s certificate should be reissued with a new key and the old certificate revoked, and customer passwords and active sessions should be reset once the fix is in place.

While this may seem like a labor-intensive process, not performing the upgrade, especially given the enormous press coverage, could leave you open to legal action. The FTC has taken the position that companies should maintain security measures that are “reasonable and appropriate” (In re HTC Am. Inc., No. 122-3049), and it could be argued that failing to address such a widely known bug is not taking such reasonable and appropriate measures. As always, data privacy and data security should be at the forefront of your company’s mind, and lapses in the strength of your security could leave you open both to cyber attacks and to government legal action.

The next question you should consider is how transparent to be with customers about your website’s potential vulnerability to Heartbleed. Anyone can run a website through a check such as the one offered by LastPass, so it is better that your users hear of this issue from you than discover it on their own. Transparency about data privacy and data security is a must, whether in a privacy policy that states what data you collect and how you use it, or in a notice that your company is facing a potential security issue. Reach out to customers and inform them if your website is vulnerable to Heartbleed. Let customers know the steps your company is taking to remedy the problem, and inform them as soon as the problem is fixed. This will not only help keep your company compliant with applicable regulatory requirements, it will give your customers confidence that the security of their data is a priority for your company.

If you have questions regarding your company’s reaction to the news of Heartbleed or your company’s compliance with government mandated data privacy and security measures, please contact Maggie Utterback at (608) 283-2443 / margaret.utterback@quarles.com, Heather Buchta at (602) 229-5228 / heather.buchta@quarles.com, or your Quarles & Brady attorney.